Post navigation

If you are one of the small number of Office 365 users who enjoyed embedding Flash, Shockwave or Silverlight content inside files, time is about to run out on your unusual pastime.

Last week, Microsoft announced that, starting next month, Office 356 will start blocking these for monthly subscription users, with the same thing happening for business users on the Semi Annual (SA) Channel by January 2019.

There are a number of reasons why this is happening now, although Microsoft could have probably have pulled the feature a while ago without upsetting too many customers.

First and foremost is the end of support for Flash in less than two years, while Microsoft has been treating Silverlight like a bad smell since Windows 10 arrived in 2015.

Secondly, according to Microsoft barely anyone seems to be using this feature in Office 365, something it can be certain of given the visibility it has on what people are doing with its cloud platform.

Ironically, the one group that has shown a lot of enthusiasm for embedded Office controls are cybercriminals, who took to hiding malicious content inside otherwise harmless-looking Excel, PowerPoint and Word files.

Helped by a long sequence of Flash vulnerabilities, these attacks continue to this day. A good recent example of this was a zero-day attack on South Korean organisations using a Flash Player flaw channelled through Word (CVE-2018-4878).

We believe this is another step forward in elevating the security of Office. One that protects our users from malicious attacks without disrupting day to day productivity for most of them.

The blocking is only for Office 365 and doesn’t apply to standalone versions of Office 2016, Office 2013 or Office 2010, although in theory Microsoft could update these at some point.

Anyone who wants to implement the blocking change manually can do so using the long-established COM object kill bit setting or, in the case of Flash, via Office’s Group Policy settings.

Given that it looks as if anyone concerned about malicious embedded Flash can already implement a block, it’s obvious that Microsoft is intervening because it thinks that some users simply wouldn’t bother. That would have security implications.

A caveat worth noting:

This change does not cover scenarios where these controls are activated outside the Office process, for example, a Flash video inserted into a document via the Insert Online Video functionality.

In case the difference between this and embedding isn’t clear, inserting a Flash video is under the control of the browser and its merry sandbox rather than Office 365.